Hello everyone,

I did some further investigation; it seems like the certificate isn't the problem. I tried this with a certificate generated by the PKI tool, and the same messages are still in the log.

Apr 19 12:15:07 fwhq05 charon: 08[IKE] peer requested virtual IP %any
Apr 19 12:15:07 fwhq05 charon: 08[IKE] assigning virtual IP 192.168.8.1 to peer '…'
Apr 19 12:15:07 fwhq05 charon: 08[IKE] peer requested virtual IP %any6
Apr 19 12:15:07 fwhq05 charon: 08[IKE] no virtual IP found for %any6 requested by '…'
Apr 19 12:15:07 fwhq05 charon: 08[KNL] received netlink error: Invalid argument (22)
Apr 19 12:15:07 fwhq05 charon: 08[KNL] unable to add SAD entry with SPI c53c8641
Apr 19 12:15:07 fwhq05 charon: 08[KNL] received netlink error: Invalid argument (22)
Apr 19 12:15:07 fwhq05 charon: 08[KNL] unable to add SAD entry with SPI ab3a3b48
Apr 19 12:15:07 fwhq05 charon: 08[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel

So no old kernel, no certificate… what else can it be?

Kind regards,
Jeroen.

From: Users <[email protected]> On Behalf Of Jeroen Landheer
Sent: Friday, 19 April 2019 11:50
To: Thomas Egerer <[email protected]>; [email protected]
Subject: Re: [strongSwan] Ubuntu 16: Received netlink error: Invalid Argument (22)

Thanks for the response Thomas,

You're right that this kernel is old; it's Ubuntu 16.04, so I decided to replace that machine with the much newer Debian 9.8. I'm now on kernel version 4.9.0-8-amd64, but this hasn't helped.

I'm actually thinking this might have to do with the certificate I'm using, since the certificate was generated by a Microsoft Certificate Authority, not the internal PKI tools. I created the private key on the Debian machine using the ipsec pki tool, next I generated a certificate request using that same tool and used this request to let my CA issue a certificate.
Here's some info about the certificate, using the certutil tool on Windows:

X509 Certificate:
Version: 3
Serial Number: 38000000bda7de55e826a360e20000000000bd
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
    Algorithm Parameters:
    05 00
Issuer:
    CN=…
  Name Hash(sha1): 02de19ec77e1b73e3ee81fbf33040929b61510af
  Name Hash(md5): 2507479912498e5c82c4d715d6f2b36f

 NotBefore: 18/04/2019 17:11
 NotAfter: 17/04/2021 17:11

Subject:
    CN=Company Firewall
    O=Company
  Name Hash(sha1): c1ecb37bbdab3a3e5fd38af556ea105228b463f1
  Name Hash(md5): bc0ce29929023983b116aef799b85701

Public Key Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
    Algorithm Parameters:
    05 00
Public Key Length: 4096 bits
Public Key: UnusedBits = 0
    0000  30 82 02 0a 02 82 02 01 00 a1 ea 0d 54 16 07 92
    0010  d9 57 cc 5f 64 1e 6e 03 45 98 ce 23 83 7d 38 a2
    …
    01f0  cb 03 95 87 f5 05 f3 09 58 b4 37 52 69 0d 75 e2
    0200  59 c7 55 53 8c bc 31 0f 55 02 03 01 00 01
Certificate Extensions: 9
    2.5.29.17: Flags = 0, Length = 3e
    Subject Alternative Name
        DNS Name=…
        DNS Name=…
        DNS Name=…

    2.5.29.14: Flags = 0, Length = 16
    Subject Key Identifier
        18ac7e7d52238f02579e8190ea68f3ce283d9d77

    2.5.29.35: Flags = 0, Length = 18
    Authority Key Identifier
        KeyID=82785767ff34df9161f00a37dc4df7a9d387732b

    2.5.29.31: Flags = 0, Length = 59
    CRL Distribution Points
        [1]CRL Distribution Point
             Distribution Point Name:
                  Full Name:
                       URL=…..

    1.3.6.1.5.5.7.1.1: Flags = 0, Length = 91
    Authority Information Access
        [1]Authority Info Access
             Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
             Alternative Name:
                  URL=…
        [2]Authority Info Access
             Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
             Alternative Name:
                  URL=…

    2.5.29.15: Flags = 1(Critical), Length = 4
    Key Usage
        Digital Signature, Key Encipherment (a0)

    1.3.6.1.4.1.311.21.7: Flags = 0, Length = 30
    Certificate Template Information
        Template=VPN Server(1.3.6.1.4.1.311.21.8.7409278.1580920.3752321.8005686.9414170.164.2713793.11843046)
        Major Version Number=100
        Minor Version Number=5

    2.5.29.37: Flags = 0, Length = 20
    Enhanced Key Usage
        Server Authentication (1.3.6.1.5.5.7.3.1)
        IP security IKE intermediate (1.3.6.1.5.5.8.2.2)
        Client Authentication (1.3.6.1.5.5.7.3.2)

    1.3.6.1.4.1.311.21.10: Flags = 0, Length = 26
    Application Policies
        [1]Application Certificate Policy:
             Policy Identifier=Server Authentication
        [2]Application Certificate Policy:
             Policy Identifier=IP security IKE intermediate
        [3]Application Certificate Policy:
             Policy Identifier=Client Authentication

Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
    Algorithm Parameters:
    05 00
Signature: UnusedBits=0
    0000  53 a4 15 5f fa 88 1e 76 7f af e3 d9 94 bb 0f 05
    0010  5e 55 fa b8 c1 58 78 bf 78 71 1f 8c aa 89 83 14
    …
    00e0  fb 7f 80 fd aa cf 5f 7d ba c6 e8 05 93 0c 76 78
    00f0  9b da 12 bd 49 43 33 00 fe 97 c0 e9 c5 b7 20 18
Non-root Certificate
Key Id Hash(rfc-sha1): 18ac7e7d52238f02579e8190ea68f3ce283d9d77
Key Id Hash(sha1): 0dd4d49ae7cb0a17cba19871b82a0e90a86ce5f7
Key Id Hash(bcrypt-sha1): df7f493937a1b175d83b27935f7ea1528bfd73ff
Key Id Hash(bcrypt-sha256): ed3bcef6c9c725b72a26a658ee8037533b1046724a75772ce10ee83b80ed547f
Key Id Hash(md5): 89d062523ffb9998f9617e1c58d51bfc
Key Id Hash(sha256): f4a7bd1e71d1c6422eca8fdcdfb3c8c184e72cb8bbbe242de97a2c3c68698d1b
Key Id Hash(pin-sha256): nO3Yrqy2aZhe9UfSwzGkWGWOF9GhThXmWaBjUGU/y3s=
Key Id Hash(pin-sha256-hex):
9cedd8aeacb669985ef547d2c331a458658e17d1a14e15e659a06350653fcb7b
Cert Hash(md5): ac80ead487d9100456004dfb8bf63a4d
Cert Hash(sha1): 421247d634be3256c9a2112eee82dc85bfc63b95
Cert Hash(sha256): c4c563b0b0a76f59ddfdee044c75f0550b9b02e24065cb2b0bddd755641fb8ee
Signature Hash: 5384636758d9dffcc8bdc722c0deafa0e573ce7f51e5b3f87439f21a2f2d9af1

Using openssl x509 -in certfile.crt -text -noout yields the same results.

When I generate a CA certificate + a server certificate simply using the PKI tools, this yields a certificate with SHA384RSA instead of a SHA256RSA cert. Could this be part of the issue, or am I missing something else?

Kind regards,
Jeroen.

From: Thomas Egerer <[email protected]>
Sent: Wednesday, 17 April 2019 20:07
To: Jeroen Landheer <[email protected]>; [email protected]
Subject: Re: [strongSwan] Ubuntu 16: Received netlink error: Invalid Argument (22)

Hi Jeroen,

don't use that antique kernel unless you have to. Sounds like the IV generator issue from [1]:

<quote>
Note: For kernel versions 4.2-4.5 you will have to select Encrypted Chain IV Generator manually in order to use any encryption algorithm in CBC mode.
</quote>

Hth
Thomas

[1] https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules

On April 17, 2019 7:07:10 PM GMT+02:00, Jeroen Landheer <[email protected]> wrote:

This appears in my log file:

Apr 17 18:43:04 fwhq03 charon: 11[IKE] assigning virtual IP 192.168.8.1 to peer 'jlan--------------e.nl'
Apr 17 18:43:04 fwhq03 charon: 11[KNL] received netlink error: Invalid argument (22)
Apr 17 18:43:04 fwhq03 charon: 11[KNL] unable to add SAD entry with SPI cf789c5c
Apr 17 18:43:04 fwhq03 charon: 11[KNL] received netlink error: Invalid argument (22)
Apr 17 18:43:04 fwhq03 charon: 11[KNL] unable to add SAD entry with SPI b651e5ec
Apr 17 18:43:04 fwhq03 charon: 11[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel

It seems that somehow strongswan can't assign a virtual IP address to the peer.

Config:

config setup
    charondebug="all"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    [email protected]
    leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0,::/0
    right=%any
    rightid=%any
    rightdns=192.168.5.2,192.168.5.9,2001:980:aa14:5::2,2001:980:aa14:5::9
    rightsourceip=192.168.8.0/24,2001:980:aa14:8::/64
    rightsendcert=never
    rightauth=eap-mschapv2
    eap_identity=%identity

If I run the check script for the kernel modules, I get this (this is basically a standard Ubuntu setup):

CONFIG_XFRM_USER=m
CONFIG_NET_KEY=m
# CONFIG_NET_KEY_MIGRATE is not set
CONFIG_INET=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_TUNNEL=m
CONFIG_INET_TUNNEL=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_INET_XFRM_MODE_BEET=m
CONFIG_INET_LRO=y
CONFIG_INET_DIAG=m
CONFIG_INET_TCP_DIAG=m
CONFIG_INET_UDP_DIAG=m
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_INET6_XFRM_TUNNEL=m
CONFIG_INET6_TUNNEL=m
CONFIG_INET6_XFRM_MODE_TRANSPORT=m
CONFIG_INET6_XFRM_MODE_TUNNEL=m
CONFIG_INET6_XFRM_MODE_BEET=m
CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m
CONFIG_INET_DCCP_DIAG=m
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_INET_XFRM_MODE_BEET=m
CONFIG_IPV6=y
CONFIG_IPV6_ROUTER_PREF=y
CONFIG_IPV6_ROUTE_INFO=y
# CONFIG_IPV6_OPTIMISTIC_DAD is not set
CONFIG_IPV6_MIP6=m
CONFIG_IPV6_ILA=m
CONFIG_IPV6_VTI=m
CONFIG_IPV6_SIT=m
CONFIG_IPV6_SIT_6RD=y
CONFIG_IPV6_NDISC_NODETYPE=y
CONFIG_IPV6_TUNNEL=m
CONFIG_IPV6_GRE=m
CONFIG_IPV6_MULTIPLE_TABLES=y
CONFIG_IPV6_SUBTREES=y
CONFIG_IPV6_MROUTE=y
CONFIG_IPV6_MROUTE_MULTIPLE_TABLES=y
CONFIG_IPV6_PIMSM_V2=y
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_INET6_XFRM_MODE_TRANSPORT=m
CONFIG_INET6_XFRM_MODE_TUNNEL=m
CONFIG_INET6_XFRM_MODE_BEET=m
CONFIG_IPV6_MULTIPLE_TABLES=y
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_NETFILTER_ADVANCED=y
CONFIG_NETFILTER_INGRESS=y
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_NETLINK_ACCT=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NETFILTER_NETLINK_GLUE_CT=y
CONFIG_NETFILTER_SYNPROXY=m
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_MARK=m
CONFIG_NETFILTER_XT_CONNMARK=m
CONFIG_NETFILTER_XT_SET=m
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
CONFIG_NETFILTER_XT_TARGET_CT=m
CONFIG_NETFILTER_XT_TARGET_DSCP=m
CONFIG_NETFILTER_XT_TARGET_HL=m
CONFIG_NETFILTER_XT_TARGET_HMARK=m
CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m
CONFIG_NETFILTER_XT_TARGET_LED=m
CONFIG_NETFILTER_XT_TARGET_LOG=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_NAT=m
CONFIG_NETFILTER_XT_TARGET_NETMAP=m
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
# CONFIG_NETFILTER_XT_TARGET_NOTRACK is not set
CONFIG_NETFILTER_XT_TARGET_RATEEST=m
CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
CONFIG_NETFILTER_XT_TARGET_TEE=m
CONFIG_NETFILTER_XT_TARGET_TPROXY=m
CONFIG_NETFILTER_XT_TARGET_TRACE=m
CONFIG_NETFILTER_XT_TARGET_SECMARK=m
CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
CONFIG_NETFILTER_XT_MATCH_BPF=m
CONFIG_NETFILTER_XT_MATCH_CGROUP=m
CONFIG_NETFILTER_XT_MATCH_CLUSTER=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNLABEL=m
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_CPU=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
CONFIG_NETFILTER_XT_MATCH_DEVGROUP=m
CONFIG_NETFILTER_XT_MATCH_DSCP=m
CONFIG_NETFILTER_XT_MATCH_ECN=m
CONFIG_NETFILTER_XT_MATCH_ESP=m
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
CONFIG_NETFILTER_XT_MATCH_HELPER=m
CONFIG_NETFILTER_XT_MATCH_HL=m
CONFIG_NETFILTER_XT_MATCH_IPCOMP=m
CONFIG_NETFILTER_XT_MATCH_IPRANGE=m
CONFIG_NETFILTER_XT_MATCH_IPVS=m
CONFIG_NETFILTER_XT_MATCH_L2TP=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_NFACCT=m
CONFIG_NETFILTER_XT_MATCH_OSF=m
CONFIG_NETFILTER_XT_MATCH_OWNER=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_QUOTA=m
CONFIG_NETFILTER_XT_MATCH_RATEEST=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_RECENT=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_SOCKET=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_TIME=m
CONFIG_NETFILTER_XT_MATCH_U32=m
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m

Kernel version: 4.4.0-145-generic

Any idea how to diagnose this issue?

Kind regards,
Jeroen.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
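The charon excerpts quoted in this thread are the only evidence it contains, and they already separate two things the thread runs together: the virtual IP assignment (an [IKE] event that succeeds for IPv4 and finds no address for %any6) and the kernel rejecting the SA (a [KNL] netlink error while adding the SAD entry). The following is an added Python example, not code from the thread or from the strongSwan project, that reads charon syslog lines per worker thread and reports those two classes of event separately. It assumes the default charon log line shape `NN[GROUP] message`; the sample lines are constructed from the ones quoted above with the peer identity redacted, and the findings text is this example's reading of the thread (EINVAL from the kernel on SA add means the kernel did not accept the SA parameters, which is what Thomas's reply points at), not an official strongSwan diagnostic.

```python
import re
from collections import defaultdict

# Constructed sample: the fwhq05 lines quoted in the thread, peer id redacted.
SAMPLE_LOG = """\
Apr 19 12:15:07 fwhq05 charon: 08[IKE] peer requested virtual IP %any
Apr 19 12:15:07 fwhq05 charon: 08[IKE] assigning virtual IP 192.168.8.1 to peer '...'
Apr 19 12:15:07 fwhq05 charon: 08[IKE] peer requested virtual IP %any6
Apr 19 12:15:07 fwhq05 charon: 08[IKE] no virtual IP found for %any6 requested by '...'
Apr 19 12:15:07 fwhq05 charon: 08[KNL] received netlink error: Invalid argument (22)
Apr 19 12:15:07 fwhq05 charon: 08[KNL] unable to add SAD entry with SPI c53c8641
Apr 19 12:15:07 fwhq05 charon: 08[KNL] received netlink error: Invalid argument (22)
Apr 19 12:15:07 fwhq05 charon: 08[KNL] unable to add SAD entry with SPI ab3a3b48
Apr 19 12:15:07 fwhq05 charon: 08[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
"""

# Assumed syslog layout: "<Mon DD HH:MM:SS> <host> charon: <thread>[<GROUP>] <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$"
)
NETLINK_RE = re.compile(r"received netlink error: (?P<text>.+) \((?P<errno>\d+)\)")
SAD_RE = re.compile(r"unable to add SAD entry with SPI (?P<spi>[0-9a-f]+)")
VIP_REQ_RE = re.compile(r"peer requested virtual IP (?P<family>%any6?)")
VIP_ASSIGN_RE = re.compile(r"assigning virtual IP (?P<ip>\S+) to peer")
VIP_NONE_RE = re.compile(r"no virtual IP found for (?P<family>%any6?)")


def parse_line(line):
    """Split one charon syslog line into its fields; None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text):
    """Group charon lines by worker thread and collect the SA-install facts.

    Per thread: netlink errors (errno, text), SPIs whose SAD entry the kernel
    refused, virtual IP families requested / addresses assigned / families with
    no address, and whether the final 'unable to install ... SA' line appeared.
    """
    out = defaultdict(lambda: {
        "netlink_errors": [], "failed_spis": [], "vip_requested": [],
        "vip_assigned": [], "vip_missing": [], "sa_install_failed": False})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # not a charon line; other daemons share syslog
        t, msg = out[rec["thread"]], rec["msg"]
        if (m := NETLINK_RE.search(msg)):
            t["netlink_errors"].append((int(m["errno"]), m["text"]))
        elif (m := SAD_RE.search(msg)):
            t["failed_spis"].append(m["spi"])
        elif (m := VIP_REQ_RE.search(msg)):
            t["vip_requested"].append(m["family"])
        elif (m := VIP_ASSIGN_RE.search(msg)):
            t["vip_assigned"].append(m["ip"])
        elif (m := VIP_NONE_RE.search(msg)):
            t["vip_missing"].append(m["family"])
        elif "unable to install inbound and outbound IPsec SA" in msg:
            t["sa_install_failed"] = True
    return dict(out)


def diagnose(summary):
    """Turn a triage() summary into plain-language findings, one list per thread."""
    findings = {}
    for thread, t in summary.items():
        notes = []
        if t["vip_assigned"]:
            notes.append("virtual IP assignment succeeded (%s), so the pool is not "
                         "what failed" % ", ".join(t["vip_assigned"]))
        for fam in t["vip_missing"]:
            notes.append("no address handed out for %s: check the rightsourceip "
                         "pool for that address family" % fam)
        if t["failed_spis"] and any(e == 22 for e, _ in t["netlink_errors"]):
            notes.append("kernel answered EINVAL when adding SA(s) %s: it did not "
                         "accept the negotiated ESP parameters; verify the cipher/"
                         "integrity modules and, on kernels 4.2-4.5, the CBC IV "
                         "generator (strongSwan KernelModules wiki page)"
                         % ", ".join(t["failed_spis"]))
        if t["sa_install_failed"] and not t["failed_spis"]:
            notes.append("SA install failed but no SAD error is in this excerpt")
        findings[thread] = notes
    return findings


if __name__ == "__main__":
    for thread, notes in diagnose(triage(SAMPLE_LOG)).items():
        print("thread %s:" % thread)
        for n in notes:
            print("  - " + n)
```

Feed it the relevant slice of syslog (`journalctl -u strongswan` or the charon log file) and it keys everything on the two-digit worker thread id, which is what ties the IKE-side lines and the KNL-side lines of one exchange together when several clients connect at once; the 4.9 kernel in the later message still produces the same EINVAL pair per SA, which is why the example reports per SPI rather than per line.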
